Splunk Search

How to calculate number of days between the beginning of the month to a date within the same month?

ASISH_9
Engager

Let's say the date is 20th of Feb, 2017. I need to calculate the number of days starting from 1st Feb, 2017 till 20th Feb, 2017, i.e. 20 days. How can I calculate this?

0 Karma

somesoni2
Revered Legend

Assuming you've a field "date" with format "%Y-%m-%d", you can do something like this (run anywhere sample, replace first two lines with your base search):

| makeresults
| eval date="2017-02-20"
| table date
| eval startOfMonth=relative_time(strptime(date,"%Y-%m-%d"),"@mon")
| eval noOfDays=round((strptime(date,"%Y-%m-%d")-startOfMonth)/86400+1)
0 Karma

sjbriggs
Path Finder

I have a report that runs every day and is doing calculations based on the number of days that have occurred so far.  After pulling my hair out and using a variety of techniques posted in these forums, I ended up with:

| eventstats dc(date_mday) AS daysInMonth

Unless I'm mistaken, the date_* fields are automatically generated in Splunk (at least all the data I've seen has them) and this was the easiest and most reliable method I found.

0 Karma
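
An added example, not part of any post in this thread: it runs the elapsed-day arithmetic from somesoni2's answer next to a distinct-day count in the style of the eventstats approach, over four constructed sample dates with gaps between them. The field names sample_date, daysElapsed, dayOfMonth, daysWithEvents and daysSoFar are assumptions, and dayOfMonth is derived with strftime because makeresults rows carry no date_mday field.

```spl
| makeresults
| eval sample_date=split("2017-02-01,2017-02-02,2017-02-05,2017-02-20", ",")
| mvexpand sample_date
| eval _time=strptime(sample_date, "%Y-%m-%d")
| eval startOfMonth=relative_time(_time, "@mon")
| eval daysElapsed=round((_time-startOfMonth)/86400)+1
| eval dayOfMonth=tonumber(strftime(_time, "%d"))
| eventstats dc(dayOfMonth) AS daysWithEvents max(daysElapsed) AS daysSoFar
| table sample_date daysElapsed dayOfMonth daysWithEvents daysSoFar
```

On these constructed dates daysWithEvents comes out as 4 while daysSoFar is 20, so a distinct-day count matches elapsed days only when every day of the month so far has at least one event.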

cmerriman
Super Champion

Are the dates you are calculating between values in fields? Are they the range from the time picker?

If they are values in fields, it'd be as simple as |eval daysBetween=round((time2-time1)/86400,0) given that the time fields are in epoch, if not, you'll need to do some more evaling with either strftime

If the values are from the time picker, use

|gentimes start=-1 | addinfo | dedup info_min_time info_max_time 
          | eval daysBetween=round((info_max_time-info_min_time)/86400,2)
0 Karma